KB1020

Cloud Integration Service is disabled error when logging in to Axiom Software

Summary

When users of a cloud system attempt to log in to Axiom Software with their Active Directory (AD) credentials, they may encounter the following error: “The target Cloud Integration Service is currently disabled. Please contact your system administrator to re-enable this service or choose another connection that is available.” This error may occur sporadically, or to all users attempting to log in.

Details

When a cloud system uses Windows Authentication to allow users to log in to Axiom Software with their Active Directory credentials, the Axiom Cloud Integration Service (CIS) is used to facilitate this process. The CIS allows your cloud system to communicate with your organization's local Active Directory to authenticate users.

If there is an issue with the CIS—such as it is not running, or it is not enabled, or it is not configured according to the technical specifications—then Windows Authentication will not be available to the cloud system and users cannot log in. Users will see an error message such as the following:

If the error consistently occurs for all Windows Authentication users, the issue may be resolved by restarting the CIS on your on-premise server. If the error is not consistent, then the CIS may be intermittently losing connection to the Azure cloud.

Resolution

The following resolution steps can assist in troubleshooting and resolving this issue. The steps within Axiom Software must be performed by your Master System User (MSU) or any other user with administrator permissions. A qualified Information Technology professional is required for steps performed on the on-premise server hosting the CIS, or to verify the technical configuration of the CIS.

Verify the status of the Cloud Integration Service

If all users can’t authenticate, as a first step your MSU should verify that the on-premise CIS is running. To bypass the authentication issue, your MSU should log in with an Axiom Prompt account that has administrator permissions.

1. Log in to Axiom Software using a browser, and then use the Area menu in the Global Navigation Bar to select System Administration.

   

2. In the System Administration area, from the Navigation panel , select Infrastructure Section > Reset Services.

   

3. In the Current Server Status page, locate the Cloud Integration Service using the Service Type, and confirm the following:

   • Processor Status shows as Running.

   • Service Status shows as Started.

   

   If instead the statuses are Stopped or Unknown, contact your Information Technology department to restart the Axiom EPM Cloud Integration Service on the on-premise server using Microsoft Windows Services.

Alternatively, if you already have the Axiom Desktop Client open (Windows or Excel), you can check the status of the Cloud Integration Service using the About Axiom Software dialog.

1. On the Axiom tab, in the Help group, click the down arrow at the bottom of the Help button and then select About Axiom Software.

   

   NOTE: In systems with installed products, this feature may be located on the Main tab.

2. In the About Axiom Software dialog, locate the Cloud Integration Service listed in the Servers section. Verify that it shows as Started.

   

   If instead the service shows as Stopped or Unknown, contact your Information Technology department to restart the Axiom EPM Cloud Integration Service on the on-premise server using Microsoft Windows Services.

If your Information Technology department is not sure which on-premise server is hosting the CIS, the server name is shown on the Current Server Status page and the About Axiom Software dialog. In the previous examples, the server name is POSWAP09 (the listed service name without the -CIS suffix).

Verify that the Cloud Integration Service is enabled

Once you have verified that the CIS is running, you should check that the service is enabled in Scheduler. You must be logged in to the Desktop Client (Windows or Excel) as an administrator to perform these steps.

1. On the Axiom tab, in the Administration group, click Manage > Scheduler.

   NOTE: In systems with installed products, this feature may be located on the Admin tab. In the System Management group, click Scheduler.

2. In the Scheduler dialog, on the Service tab, click Servers.

3. Select the CIS server in the list, and verify that it is enabled. If it is not, select the check box for Cloud Integration Service Enabled, and then click Update.

   

   After refreshing the page, you should see the CIS server show as Enabled in the Processor Enabled column.

Verify that the Cloud Integration Server meets the network requirements

The CIS provides a secure bridge between your cloud system and resources on your organization’s network. The CIS is required when using Windows Authentication, and also when automating other processes that require local access, such as imports/exports between resources on your organization’s network and your cloud system.

Example TCP connections when CIS is used for Windows Authentication

If the previous steps did not resolve the issue, your Information Technology department should review the CIS network requirements in the Cloud Service Technical Guide—specifically the requirements for outbound port connections—and make any adjustments as needed. The service is outbound-initiated to establish a secure connection to your cloud system, then is bi-directional when a secure transfer between your domain and your cloud system is requested. When the service is idle, it sends heartbeat messages to your cloud system to broadcast its availability.

The CIS establishes a TLS handshake to the following resources in Microsoft Azure.

• Your Axiom Cloud System URL, for example: https://mycompany.axiom.cloud
• A dedicated Microsoft Azure Service Bus hub assigned to your cloud system, for example: https://axiom-prod-example-rdc.servicebus.windows.net

Once the handshake succeeds, Microsoft Azure assigns an IP address to any of the on-demand data transactions. The IP address does not have URL or Name resolution, but comes from the Microsoft Azure Datacenter IP range (US South region) published in the Microsoft Azure Datacenter IP Range list. If the minimum requirement to allow the outbound traffic cannot be met, setting up firewall rules that accept connections from Microsoft’s Azure Data Center, published weekly, may be required.

If the functionality of the CIS is intermittent, your IT department should confirm that the server hosting the service is:

• Not going through a web-proxy
• Allowed to communicate to the entire US South region IPs detailed in the Microsoft Azure Datacenter IP Range list
• Bypassing any SSL Inspection, SSL decryption, and/or SSL authorization policies
• Not going through any third-party network security tools (e.g. McAfee Web Application Gateway)
• Not subject to connection timeouts imposed by the firewall

Outcome

Following the specifications in this article should allow your Cloud Integration Service to stay connected to your Axiom cloud system, so that users can log in using Active Directory credentials.

See also

• Using Windows Authentication
• System administration
• Managing remote data connections
• Documents and downloads (Cloud Service Guides)

Article information

Category	Startup
Applies To	All versions
Tags	Connectivity, CIS, Cloud Integration Service, Windows Authentication, Active Directory, AD, disabled, Cloud Integration Server
Issue Number(s)	N/A